Hi,
Running `sudo traceroute -T 8.8.8.8` (TCP SYN mode, for which root permissions are needed) on Ubuntu 17.04 produces the following DENIED
messages:
type=AVC msg=audit(1497186803.543:335): apparmor="DENIED" operation="open"
profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_ecn" pid=6573 comm="traceroute"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:335): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc1125cfb0 a1=0 a2=0
a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2
ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:335):
proctitle=7472616365726F757465002D5400382E382E382E38
type=AVC msg=audit(1497186803.543:336): apparmor="DENIED" operation="open"
profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_sack" pid=6573 comm="traceroute"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:336): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc1125cfb0 a1=0 a2=0
a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2
ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:336):
proctitle=7472616365726F757465002D5400382E382E382E38
type=AVC msg=audit(1497186803.543:337): apparmor="DENIED" operation="open"
profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_timestamps" pid=6573 comm="traceroute"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:337): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc1125cfa0 a1=0 a2=0
a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2
ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:337):
proctitle=7472616365726F757465002D5400382E382E382E38
type=AVC msg=audit(1497186803.543:338): apparmor="DENIED" operation="open"
profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_window_scaling" pid=6573
comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:338): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc1125cfa0 a1=0 a2=0
a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2
ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:338):
proctitle=7472616365726F757465002D5400382E382E382E38
type=AVC msg=audit(1497186803.543:339): apparmor="DENIED" operation="capable"
profile="/usr/{sbin/traceroute,bin/traceroute.db}" pid=6573 comm="traceroute" capability=12 capname="net_admin"
type=SYSCALL msg=audit(1497186803.543:339): arch=c000003e syscall=54 success=no exit=-1 a0=4 a1=1 a2=21 a3=7ffc1125bef0
items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2
comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:339):
proctitle=7472616365726F757465002D5400382E382E382E38
This patch provides fixes for them:
[ 01-traceroute-tcp-mode.diff ]
=== modified file 'profiles/apparmor.d/usr.sbin.traceroute'
--- profiles/apparmor.d/usr.sbin.traceroute 2016-09-29 22:07:26 +0000
+++ profiles/apparmor.d/usr.sbin.traceroute 2017-06-11 13:06:02 +0000
@@ -15,6 +15,7 @@
#include <abstractions/consoles>
#include <abstractions/nameservice>
+ capability net_admin,
capability net_raw,
network inet raw,
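Review bot: The `capability net_admin,` line added at the top of this hunk is a far broader grant than anything else in the profile: CAP_NET_ADMIN covers interface, routing and firewall configuration, whereas the audit record that motivates it is a single setsockopt() (syscall=54, level a1=1 i.e. SOL_SOCKET, optname a2=0x21, which on x86_64 appears to be the forced receive-buffer option; worth confirming against the traceroute source). The report shows the denial but not that `-T` mode actually fails without the capability; if that call is only a best-effort socket tuning, `deny capability net_admin,` would silence the log line without widening the profile, which is the safer default for a setuid-style network tool. Whichever rule is kept deserves a why-comment above it, e.g. `# TCP mode (-T) makes a setsockopt() call that requires CAP_NET_ADMIN`. The four `@{PROC}/sys/net/ipv4/tcp_*` rules in the second hunk are read-only sysctl lookups and look fine as written.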
@@ -23,6 +24,10 @@
/usr/sbin/traceroute mrix,
/usr/bin/traceroute.db mrix,
@{PROC}/net/route r,
+ @{PROC}/sys/net/ipv4/tcp_ecn r,
+ @{PROC}/sys/net/ipv4/tcp_sack r,
+ @{PROC}/sys/net/ipv4/tcp_timestamps r,
+ @{PROC}/sys/net/ipv4/tcp_window_scaling r,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.traceroute>
Thanks.